Recently I had a customer with an Exchange 2013 hybrid configuration who needed to replace an expired SSL certificate. When they imported the new certificate and assigned it to the SMTP service, mail flow from on-premises to Office 365 stopped.

This was because the on-premises send connector to Office 365 was still configured to use the expired certificate for TLS, and that certificate had already been deleted as well.

The fix was to perform the following:

Open Exchange Management Shell on the on-premises Exchange server

Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used.

Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>

Set a new variable and assign it the concatenated Issuer and Subject values of the certificate, prefixed with <I> and <S> respectively (both tags are required): $TLSCert = ('<I>' + $cert.Issuer + '<S>' + $cert.Subject)
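The steps above carried through to the connector, as an added example that is not the original post's step list. It assumes the send connector is the one the Hybrid Configuration Wizard creates, named "Outbound to Office 365" (confirm with Get-SendConnector), and that the wizard also stamped the same TlsCertificateName on the default front-end receive connector of the server you are on; the thumbprint placeholder is yours to fill in. The checks before the Set-SendConnector call are the ones I would want before touching mail flow: the certificate must be bound to SMTP, inside its validity period, and chain to a trusted root.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the on-premises Exchange 2013 server.
# Assumption: the hybrid send connector is named "Outbound to Office 365".
$thumbprint = 'PASTE-NEW-THUMBPRINT-HERE'   # from Get-ExchangeCertificate

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# Fail early on a certificate that would break mail flow in a new way:
# it must be enabled for SMTP, currently valid, and trusted (Status = Valid).
$now = Get-Date
if ("$($cert.Services)" -notmatch 'SMTP') { throw "$thumbprint is not enabled for the SMTP service" }
if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { throw "$thumbprint is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))" }
if ($cert.Status -ne 'Valid') { throw "$thumbprint status is $($cert.Status), expected Valid" }

# The TlsCertificateName format Exchange expects: <I>Issuer<S>Subject
$TLSCert = '<I>' + $cert.Issuer + '<S>' + $cert.Subject

$sendConnector = Get-SendConnector -Identity 'Outbound to Office 365'
Write-Host "Send connector before: $($sendConnector.TlsCertificateName)"

Set-SendConnector -Identity $sendConnector.Identity -TlsCertificateName $TLSCert

# Inbound side: the hybrid wizard stamps the same value on the receive
# connector that accepts mail from Office 365 (assumption: any receive
# connector on this server that already has a TlsCertificateName set).
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Where-Object { $_.TlsCertificateName } |
    ForEach-Object {
        Write-Host "Receive connector $($_.Name) before: $($_.TlsCertificateName)"
        Set-ReceiveConnector -Identity $_.Identity -TlsCertificateName $TLSCert
    }

# Verify, then send a test message to a cloud mailbox and watch the send
# connector protocol log for TLS handshake failures.
Get-SendConnector -Identity $sendConnector.Identity |
    Format-List Name, TlsCertificateName, TlsAuthLevel, TlsDomain
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Where-Object { $_.TlsCertificateName } |
    Format-List Name, TlsCertificateName
```

The receive connector loop rewrites every connector on the server that already pins a certificate by name; if you intentionally run a second connector with a different certificate, target the hybrid connector by name instead of using the filter.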

Last month, in June 2014, the Exchange Team announced that Office 365 would soon raise the public folder hierarchy folder count limit from 10,000 folders to 100,000 folders. The increase would begin rolling out in July 2014.

But how can you tell what your tenant’s current folder count limit is?

Open a remote PowerShell session to your Office 365 tenant

Run the following command:

Get-Mailbox -PublicFolder | Get-MailboxStatistics | fl FolderHierarchy*
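Knowing the limit is only half the question; the other half is how close the hierarchy already is to it. The following is an added example, not part of the original post. It assumes the 2014-era remote PowerShell endpoint for Exchange Online, and it reads the FolderHierarchyChildrenCount* and FolderHierarchyDepth* quota properties that Get-MailboxStatistics reports for public folder mailboxes (assumed names; the post's own wildcard FolderHierarchy* will show whatever your tenant exposes). It then walks the hierarchy with Get-PublicFolder and reports the three numbers those quotas constrain: total folders, the most children under any one parent, and the deepest nesting.

```powershell
# Added example, not from the original post. Assumes the remote PowerShell
# endpoint for Exchange Online used in 2014 and the quota property names noted
# in the comments (verify with the post's "fl FolderHierarchy*" one-liner).
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# The post's command: every public folder mailbox with its hierarchy quotas.
Get-Mailbox -PublicFolder | Get-MailboxStatistics |
    Format-List DisplayName, FolderHierarchy*

# Assumption: the quota is tenant-wide, so the first public folder mailbox is
# representative. Property names are assumed; adjust if your output differs.
$stats = Get-Mailbox -PublicFolder | Get-MailboxStatistics | Select-Object -First 1
$childQuota = "$($stats.FolderHierarchyChildrenCountReceiveQuota)"
$depthQuota = "$($stats.FolderHierarchyDepthReceiveQuota)"

# Measure the hierarchy as it actually is today.
$folders = Get-PublicFolder -Recurse -ResultSize Unlimited
$total   = $folders.Count
# Children per parent: group by ParentPath and take the biggest group.
$maxChildren = ($folders | Where-Object { $_.ParentPath } |
    Group-Object ParentPath | Measure-Object Count -Maximum).Maximum
# Depth: number of path separators in the folder identity.
$maxDepth = ($folders | ForEach-Object { ([string]$_.Identity -split '\\').Count - 1 } |
    Measure-Object -Maximum).Maximum

"Total folders in hierarchy : $total"
"Most children under one folder: $maxChildren (quota: $childQuota)"
"Deepest folder nesting       : $maxDepth (quota: $depthQuota)"

# Warn when within 20% of a numeric quota; 'Unlimited' or blank is skipped.
function Test-NearQuota([string]$Name, [int]$Current, [string]$Quota) {
    if ($Quota -match '^\d+$' -and $Current -ge 0.8 * [int]$Quota) {
        Write-Warning "$Name is at $Current of $Quota (>= 80%); plan consolidation before adding more folders."
    }
}
Test-NearQuota 'Children per folder' $maxChildren $childQuota
Test-NearQuota 'Hierarchy depth'     $maxDepth    $depthQuota

Remove-PSSession $session
```

Run it once per tenant; Get-PublicFolder -Recurse over a large hierarchy takes a while, so do it outside business hours if the hierarchy is anywhere near the old 10,000-folder ceiling.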

Once you have verified the app, it will prompt you to verify each time you log in:

Apple iOS

Google Android

Windows Phone

Once you choose a verification method and complete the verification steps, you’ll need to generate an app password. Office apps and mobile apps (like mail) must use this password instead of your normal password, and it’s recommended that you generate a separate app password for each device you intend to use.

Once completed, you can always come back to this URL to make changes to your profile, change your password, or add additional authentication methods. You can also use this portal to access applications like SharePoint Online and Exchange Online (OWA).

To Enable MFA for users in bulk

After clicking Set-up for Multi-factor authentication from the Users and Groups page, click the Bulk Update button.

This will prompt you to provide a CSV file that contains two column headings: Username & MFA Status. A sample CSV file is displayed below:

Username, MFA Status
chris@contoso.com, Enabled
ben@contoso.com, Disabled
kyle@contoso.com, Disabled
kenny@contoso.com, Enabled
eric@contoso.com, Enabled

After you import the CSV file and complete the update process, you’ll need to notify each user to go to the http://aka.ms/MFASetup web page to configure their multi-factor authentication verification methods.

To Enable MFA via Remote PowerShell

You can use the following PowerShell commands to enable or enforce multi-factor authentication for a single user, all users, or a bulk list of users via CSV. You must use the Windows Azure Active Directory Module for Windows PowerShell. You can find instructions on downloading and installing this module here.

The commands:

#Establish the StrongAuthenticationRequirement object with the required RelyingParty settings for Office 365
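The commands that follow are an added example, not the original post's listing (which is cut off after the comment above). They use the Windows Azure Active Directory Module for Windows PowerShell (MSOnline) cmdlets and cover all three cases the post names: one user, every licensed user, and a bulk list in the CSV layout shown in the portal section above. The CSV path C:\temp\mfa.csv is hypothetical. Note that the sample CSV has a space inside the "MFA Status" header and after each comma, so the import is done with an explicit header and the values are trimmed.

```powershell
# Added example, not from the original post. Requires the MSOnline module and
# a Global Administrator credential. CSV path is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# Enabled  = user must register verification methods at next sign-in
# Enforced = registration complete, MFA required (and app passwords work)
# Disabled = clear the requirement entirely
function Set-UserMfa {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled','Enforced','Disabled')][string]$Status
    )
    if ($Status -eq 'Disabled') {
        # An empty array removes every StrongAuthenticationRequirement.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    # Establish the StrongAuthenticationRequirement object with the required
    # RelyingParty setting for Office 365: "*" covers every relying party.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = $Status
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# 1. A single user
Set-UserMfa -UserPrincipalName 'chris@contoso.com' -Status Enabled

# 2. All licensed users (unlicensed accounts cannot sign in to the services anyway)
Get-MsolUser -All | Where-Object { $_.IsLicensed } |
    ForEach-Object { Set-UserMfa -UserPrincipalName $_.UserPrincipalName -Status Enabled }

# 3. Bulk from the CSV layout used by the portal's Bulk Update feature.
#    -Header plus -Skip 1 sidesteps the space in the "MFA Status" column name;
#    Trim() handles the space after each comma in the sample file.
Import-Csv -Path 'C:\temp\mfa.csv' -Header 'Username','MfaStatus' |
    Select-Object -Skip 1 |
    ForEach-Object {
        Set-UserMfa -UserPrincipalName $_.Username.Trim() -Status $_.MfaStatus.Trim()
    }

# Verify: State is Enabled or Enforced; an empty column means MFA is off.
Get-MsolUser -All | Select-Object UserPrincipalName,
    @{ Name = 'MFA'; Expression = { $_.StrongAuthenticationRequirements.State } }
```

Setting a user to Enforced before they have registered locks them out of rich clients until they complete the http://aka.ms/MFASetup steps, so start with Enabled and let the user's first interactive sign-in move them to Enforced.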

Active Directory Preparation

Before you can begin synchronizing your Active Directory with Office 365 using DirSync, you must first ensure that directory objects meet specific formatting criteria: attribute values such as sAMAccountName, displayName and proxyAddresses must be unique and free of invalid characters and formatting so that they synchronize cleanly into the Azure Active Directory behind your Office 365 tenant.

You must also ensure that each user’s UserPrincipalName and proxyAddresses values contain a publicly routable domain (i.e. user@contoso.com and not user@contoso.local). I recommend setting each user’s UPN to match their default SMTP address for simplicity.

To do this, I recommend using the IDFix tool provided by Microsoft. You can download it at http://aka.ms/Tqmbxm.

The IDFix tool queries your Active Directory and returns all user, contact and group objects and lists their property values for

sAMAccountName

givenName

sn (surname)

displayName

mail

mailNickname

proxyAddresses

targetAddress

userPrincipalName

If any of these values contains data that will not synchronize (such as a space in the mailNickname or a non-routable UPN), the tool makes a best-effort suggestion for an updated value. You can also manually enter the value you require for your migration. IDFix can then apply those updates individually or in bulk, and it can revert them if necessary.

You can also export the data to a csv file that you can massage inside Excel, reimport into the tool, and then apply changes.
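For environments where you want a scripted, read-only preview before running IDFix (or a repeatable check after it), the following added example reproduces the most common IDFix findings with the ActiveDirectory module. It is not IDFix and not code from the original post. Assumptions, all hypothetical: the verified, publicly routable suffix is contoso.com, the internal forest is contoso.local, and the script runs on a domain-joined machine with RSAT. Only the checks the post itself names are implemented (routable UPN and primary SMTP, whitespace in mailNickname, duplicate proxyAddresses) plus the post's recommendation that UPN match the primary SMTP address.

```powershell
# Added example, not IDFix and not from the original post. Read-only until the
# final Set-ADUser line, which keeps -WhatIf.
# Assumption: contoso.com is the verified routable suffix.
Import-Module ActiveDirectory

$routable = @('contoso.com')
$props    = 'sAMAccountName','givenName','sn','displayName','mail','mailNickname',
            'proxyAddresses','targetAddress','userPrincipalName'

$users = Get-ADUser -Filter 'mail -like "*"' -Properties $props

$findings = foreach ($u in $users) {
    $upn       = $u.userPrincipalName
    $upnSuffix = if ($upn) { ($upn -split '@')[-1] } else { '' }
    # Primary SMTP address: the proxyAddresses entry with upper-case "SMTP:".
    $primarySmtp = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                    Select-Object -First 1) -replace '^SMTP:'

    if (-not $upn -or $upnSuffix -notin $routable) {
        [pscustomobject]@{ User = $u.sAMAccountName; Attribute = 'userPrincipalName'
                           Value = $upn; Issue = 'non-routable or missing UPN suffix'
                           Suggested = $primarySmtp }
    }
    if ($u.mailNickname -match '\s') {
        [pscustomobject]@{ User = $u.sAMAccountName; Attribute = 'mailNickname'
                           Value = $u.mailNickname; Issue = 'contains whitespace'
                           Suggested = ($u.mailNickname -replace '\s', '') }
    }
    if ($primarySmtp -and ($primarySmtp -split '@')[-1] -notin $routable) {
        [pscustomobject]@{ User = $u.sAMAccountName; Attribute = 'proxyAddresses'
                           Value = $primarySmtp; Issue = 'primary SMTP address not routable'
                           Suggested = '' }
    }
    if ($primarySmtp -and $upn -and $upn -ne $primarySmtp) {
        [pscustomobject]@{ User = $u.sAMAccountName; Attribute = 'userPrincipalName'
                           Value = $upn; Issue = 'UPN differs from primary SMTP'
                           Suggested = $primarySmtp }
    }
}

# Duplicate proxyAddresses across users, contacts and groups: Azure AD rejects
# the second object that claims an address, so these must be resolved first.
$dupes = Get-ADObject -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses |
    ForEach-Object {
        $obj = $_
        foreach ($p in $obj.proxyAddresses) {
            [pscustomobject]@{ Object = $obj.DistinguishedName; Address = $p.ToLower() }
        }
    } |
    Group-Object Address | Where-Object { $_.Count -gt 1 }

$findings | Sort-Object User, Attribute | Format-Table -AutoSize
foreach ($d in $dupes) { "DUPLICATE $($d.Name): " + ($d.Group.Object -join '; ') }

# Apply the UPN-matches-primary-SMTP recommendation. Remove -WhatIf only after
# the report above has been reviewed; IDFix's Apply/Undo gives you a rollback,
# this does not, so keep the $findings output as your record.
$findings |
    Where-Object { $_.Attribute -eq 'userPrincipalName' -and $_.Suggested } |
    ForEach-Object { Set-ADUser -Identity $_.User -UserPrincipalName $_.Suggested -WhatIf }
```

Changing a UPN changes what the user types to sign in to Office 365 (and, with AD FS, to federated sign-on), so coordinate the Set-ADUser step with user communication rather than running it silently.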

I recently presented a session on the Phases of Messaging Deployment for Office 365 at an Ignite training event at Microsoft’s offices in Dallas. I want to share the information I presented in a series of blog posts covering what I see as the four distinct phases of a migration project from on-premises Exchange to Office 365 and Exchange Online.

Using Office 365 can significantly increase your organization’s internet traffic. To prepare for this, you must be sure you have the bandwidth to support all of the following activities:

Client Network Traffic

Mailbox Migration

Desktop Setup

NAT & Port Exhaustion

Client Network Traffic

Microsoft provides a useful Java-based tool hosted in Windows Azure (its test endpoints live under cloudapp.net URLs) called the Fast Track Network Analysis tool. This tool performs a number of tests on the internet connection between you and your Office 365 tenant (you must provide the tenant name to begin the tests), including port availability, route summary and performance, speed, consistency of service and VoIP quality readiness, among others.

You should run this tool from each distinct office location where users will access your Office 365 tenant.

Another useful tool you’ll want to employ is the Exchange Client Network Bandwidth Calculator. This Excel spreadsheet lets you input known data about the number and types of clients (Outlook versions, OWA, ActiveSync, etc.) and the time zones in which those clients are located. It also uses the familiar User Profile definitions from the Exchange Server Role Requirements Calculator, which describe your users’ usage patterns. The result is a graphical prediction of the bandwidth you’ll need during each hour of the day to support all of your users accessing their Office 365 content.

Desktop Setup Bandwidth Impact

If you plan on deploying Office 365 Pro Plus (aka Office 2013) to your users – and even if you’re planning on keeping Office 2007/2010 – there may be bandwidth implications to consider here as well.

Office 2010 (and to a diminishing extent, Office 2007) fully support connectivity with Office 365 resources but require some additional patches and software to do so. You can find a list of required patches in the Office 365 Community web site here and here. In addition to the patches, you must also install the Microsoft Online Services Sign-In Assistant. This tool provides an improved sign-in experience for end users accessing Office 365 services, especially if ADFS is used for Single Sign-In.

If your users have local admin rights on their computers, they can install these patches themselves by logging into the Office 365 portal (https://portal.microsoftonline.com) and navigating to the software section to run Desktop Setup. This tool will analyze the computer to determine which patches need to be installed and perform that installation automatically.

Office 365 Pro Plus (Office 2013) supports connectivity to Office 365 “out of the box”. So once you have installed this version of Office, you’re ready to connect to Office 365.

However, if you plan on deploying Office 365 Pro Plus Click-To-Run, there may still be network bandwidth impact. Again, if your users have local admin rights on their computers, you can allow them to use the self-service portal to install Office Pro Plus. Because this installation method is based on the App-V model, it will stream down the bits of the software and allow users to begin using the application within minutes. Too many users installing all at once can have a significant impact on your internet bandwidth availability.

To mitigate this, or in cases where your users have no local admin rights on their computers, you can use the Office Deployment Tool. This tool allows you to stage the installation bits onto an on-premises file server, for instance, and use a software deployment tool such as System Center or a third-party deployment tool to install the software on users’ computers.

Mailbox Migration Velocity

Many factors can influence how fast you can migrate a mailbox to Office 365. Among them are:

MRSProxy Throttling: your throughput for a single mailbox move will be in the 0.3-1.0 GB/hour range, and the maximum average throughput is 10-15 GB per hour (at 100 concurrent moves). Microsoft will not remove these throttling policies, since they protect service availability from large numbers of users moving into the service at once. More info: http://technet.microsoft.com/en-us/library/jj204570.aspx

Available On-Premises Bandwidth: if your mailbox migrations must compete with other user internet traffic for bandwidth, your own connection may become the bottleneck. In that case, you can set up multiple migration endpoints to multiple source datacenters (if you have them) to spread the migration load.

Finally, consider how many users you have behind a single public IP address NAT. Outlook clients can use 8 or more connections to Office 365, and more if you count third-party add-ins (like the social connector that links to LinkedIn and Facebook). With roughly 64,000 usable source ports behind a single NAT address, that means a maximum of about 8,000 Outlook users per public address, and that assumes no firewall or proxy server is reserving ports for other uses.
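The throttling figures and the NAT arithmetic above combine into a planning estimate that is worth writing down once, because the three limits interact: no amount of concurrency makes a single 40 GB mailbox finish faster than its own 0.3-1.0 GB/hour rate. The following is an added example, not from the original post. The mailbox sizes are constructed sample data (a comment shows how to feed in Get-MailboxStatistics output instead); the link speed, user count and reserved-port figures are hypothetical.

```powershell
# Added example, not from the original post. Uses the 0.3-1.0 GB/h per-mailbox
# and 10-15 GB/h aggregate throttles quoted above (worst case by default).
function Get-MigrationWindowEstimate {
    param(
        [Parameter(Mandatory)][double[]]$MailboxSizesGB,
        [double]$PerMailboxGBPerHour = 0.3,   # low end of the 0.3-1.0 range
        [double]$AggregateGBPerHour  = 10,    # low end of the 10-15 range (100 concurrent moves)
        [double]$LinkMbps            = 0      # 0 = ignore your own upload link
    )
    $total   = ($MailboxSizesGB | Measure-Object -Sum).Sum
    $largest = ($MailboxSizesGB | Measure-Object -Maximum).Maximum

    # Three lower bounds on wall-clock time; the estimate is the largest of them.
    $byThrottle = $total / $AggregateGBPerHour
    $byLargest  = $largest / $PerMailboxGBPerHour
    $byLink     = if ($LinkMbps -gt 0) {
                      $linkGBPerHour = $LinkMbps * 3600 / 8 / 1000   # Mbps -> decimal GB/h
                      $total / $linkGBPerHour
                  } else { 0 }

    $hours = [math]::Max([math]::Max($byThrottle, $byLink), $byLargest)
    $bottleneck = if ($hours -eq $byLargest) { 'largest mailbox' }
                  elseif ($hours -eq $byLink) { 'on-premises link' }
                  else { 'MRSProxy aggregate throttle' }

    [pscustomobject]@{
        Mailboxes          = $MailboxSizesGB.Count
        TotalGB            = [math]::Round($total, 1)
        LargestGB          = $largest
        HoursByThrottle    = [math]::Round($byThrottle, 1)
        HoursByLink        = [math]::Round($byLink, 1)
        HoursByLargestBox  = [math]::Round($byLargest, 1)
        EstimateHours      = [math]::Round($hours, 1)
        EstimateDays       = [math]::Round($hours / 24, 1)
        Bottleneck         = $bottleneck
    }
}

# NAT capacity: the page's figure (64,000 ports / 8 connections = 8,000 users)
# with reserved ports and a per-client connection count as inputs.
function Get-NatOutlookCapacity {
    param(
        [int]$ConnectionsPerClient = 8,
        [int]$UsablePorts          = 64000,
        [int]$ReservedPorts        = 0      # ports a firewall/proxy keeps for itself
    )
    [math]::Floor(($UsablePorts - $ReservedPorts) / $ConnectionsPerClient)
}

# Constructed sample: 500 users at 2 GB each plus one 40 GB mailbox.
# Real data: Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics |
#            ForEach-Object { $_.TotalItemSize.Value.ToGB() }
$sizes = @(1..500 | ForEach-Object { 2.0 }) + 40

Get-MigrationWindowEstimate -MailboxSizesGB $sizes -LinkMbps 50 | Format-List
# -> the 40 GB mailbox (133.3 h at 0.3 GB/h) is the bottleneck, not the
#    1,040 GB total (104 h by throttle, ~46 h over a 50 Mbps link)

$users = 9500   # hypothetical head count behind one public IP
$cap   = Get-NatOutlookCapacity -ConnectionsPerClient 8 -ReservedPorts 4000
"NAT capacity: $cap Outlook users per public IP; $users users needs $([math]::Ceiling($users / $cap)) public IP(s)"
```

Re-run the estimate with the high end of both throttle ranges to get a best case; the truth for a given tenant lands between the two, and the bottleneck column tells you whether splitting batches across endpoints (the fix for the link) or scheduling the biggest mailboxes first (the fix for the largest-mailbox bound) is what will actually shorten the window.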

My next post will take up the topic of assessing your on-premises Active Directory and Exchange environments.

This scenario applies to hybrid configurations when moving mailboxes from on-premises to Office 365.

Whenever you see the error in the migration log that says “Unable to update Active Directory information for the source mailbox at the end of the move”, it means that when the mailbox move completed, MRS could not disable the mailbox on the on-premises Exchange server and then RemoteMailbox-enable the user account as a cloud mailbox.

This results in two mailboxes: the original one on-premises and the new one in the cloud. However, the on-premises mailbox is inaccessible, and Autodiscover returns invalid information when setting up the Outlook profile.

To resolve this, perform these steps manually on the on-premises Exchange server in the Exchange Management Shell:
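The post's own step list is cut off above. What follows is an added example, not the author's steps: it performs by hand the two operations the error message says MRS failed to do (disable the on-premises mailbox, then RemoteMailbox-enable the user), together with the bookkeeping that stops the repair from creating a second problem. Assumptions, all hypothetical: the user is kyle@contoso.com, the tenant routing domain is contoso.mail.onmicrosoft.com, and a remote PowerShell session to Exchange Online is imported into the on-premises Exchange Management Shell with the prefix EXO so that Get-EXOMailbox is the cloud side and Get-Mailbox the on-premises side.

```powershell
# Added example, not the original post's procedure. Run in the on-premises
# Exchange Management Shell. Assumptions: user kyle@contoso.com, routing
# domain contoso.mail.onmicrosoft.com, Exchange Online cmdlets prefixed "EXO".
$user          = 'kyle@contoso.com'
$routingDomain = 'contoso.mail.onmicrosoft.com'

$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $exo -Prefix EXO -DisableNameChecking | Out-Null

# 1. Capture what must survive before anything is disabled:
#    - the cloud mailbox's ExchangeGuid (the on-premises remote mailbox must
#      carry the same GUID or a later off-boarding move cannot find it),
#    - the on-premises LegacyExchangeDN and proxy addresses, which
#      Disable-Mailbox strips from the AD object.
$cloud  = Get-EXOMailbox -Identity $user
$onPrem = Get-Mailbox -Identity $user
if (-not $cloud -or -not $cloud.ExchangeGuid) {
    throw "No cloud mailbox found for $user; do not disable the on-premises mailbox"
}
$oldLegacyDn  = $onPrem.LegacyExchangeDN
$oldAddresses = $onPrem.EmailAddresses | ForEach-Object { $_.ProxyAddressString }

# 2. Disable the on-premises mailbox. It becomes a disconnected mailbox for
#    the database's MailboxRetention period, so this step is reversible.
Disable-Mailbox -Identity $user -Confirm:$false

# 3. Turn the AD user into a remote mailbox user. Exchange stamps targetAddress
#    with the routing address so on-premises senders are forwarded to the cloud.
Enable-RemoteMailbox -Identity $user -RemoteRoutingAddress "$($cloud.Alias)@$routingDomain" | Out-Null

# 4. Align the GUID with the cloud mailbox.
Set-RemoteMailbox -Identity $user -ExchangeGuid $cloud.ExchangeGuid

# 5. Restore any addresses the email address policy did not put back, and add
#    the old LegacyExchangeDN as X500 so replies to pre-move mail still resolve.
#    Old "SMTP:" primaries are added as secondary "smtp:" so the policy's
#    primary is not contested; compare with $oldAddresses if it should differ.
$current = (Get-RemoteMailbox -Identity $user).EmailAddresses |
           ForEach-Object { $_.ProxyAddressString }
$toAdd = @($oldAddresses | ForEach-Object { $_ -creplace '^SMTP:', 'smtp:' }) + "X500:$oldLegacyDn" |
         Where-Object { $_ -notin $current }
if ($toAdd) { Set-RemoteMailbox -Identity $user -EmailAddresses @{ Add = $toAdd } }

# 6. Verify on-premises, then run a directory sync cycle so Azure AD sees the
#    remote mailbox attributes, and test Autodiscover for the user afterwards.
Get-RemoteMailbox -Identity $user |
    Format-List RecipientTypeDetails, RemoteRoutingAddress, ExchangeGuid, EmailAddresses
Remove-PSSession $exo
```

The guard in step 1 matters: if the cloud mailbox is not actually there (for example the move was rolled back), disabling the on-premises mailbox leaves the user with nothing, so the script refuses to continue rather than assuming.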